Changes between Version 23 and Version 24 of BluePrintAuthenticationAccess

Timestamp:

01/10/09 10:51:39 (16 years ago)

Author:

Fran Boon

Comment:

--

BluePrintAuthenticationAccess

@@ -1 +1 @@
 This page hosts the detailed specification for the [https://blueprints.launchpad.net/sahanapy/+spec/authentication-authorization Blueprint for Authentication & Access].
 
-Authentication is the process that verifies the identity of a user.[[BR]]
-Authorization provides controlled access to protected resources.
+Authentication is the act of establishing or confirming someone's identity.[[BR]]
+Authorization is the concept of allowing access to resources only to those permitted to use them.
 
-=== Requirements ===
+== Authentication ==
+SahanaPy currently authenticates on email address/password.[[BR]]
+- this is the T2 method.
+
+The default configuration is that Self-Registration is enabled.[[BR]]
+This can be easily disabled:
+ * Remove the link from the menu in {{{layout.html}}}
+ * Disable the function in {{{controllers/default.py}}}
+This manual process should be changed to a single setting in the default_setting table.
+
+The email address is currently not verified.[[BR]]
+- this should be fixed.
+
+Sahana2 supports OpenID (as does Launchpad), so that would be good to support & looks easy:
+ * http://openidenabled.com/python-openid/
+
+== Authorization ==
 We want to be able to provide a simple way of setting the overall security policy - allowing for flexible deployment options.
  * Anonymous access is granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated
-  * Self-Registration possible
-  * Self-Registration not possible
  * Anonymous access isn't granted for anything - all access requires a user to be Authenticated
  * Modules able to be restricted by Role membership
@@ -16 +30 @@
   * C/R/U/D permissions distinct
 
-The specification we should be working to implement is in the Wiki:
+Sahana2 specifications:
  * Proposed Trunk: http://wiki.sahana.lk/doku.php?id=dev:new_acl
  * Current Stable: http://wiki.sahana.lk/doku.php?id=dev:security
@@ -24 +38 @@
 We also want to look at linking the AAA t2_person table with the Person Registry's person table
 
-Sahana2 supports OpenID (as does Launchpad ;) ), so that would be good to support & looks easy:
- * http://openidenabled.com/python-openid/
-
 === Implementation ===
 S3 builds on the default T2 AAA system:
@@ -32 +43 @@
 
 Anonymous access is currently granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated: {{{t2.logged_in}}}
- * T2 can extend this by protecting resources with {{{t2.have_membership()}}} (functional check) & {{{t2.have_access()}}} (record-level security)
- * we should probably support this by adding hooks into the [wiki:BluePrintREST RESTlike controller]
+ * T2 can extend this by protecting resources with {{{t2.have_membership()}}} (table level security which can be separated for C/R/U/D) & {{{t2.have_access()}}} (record-level security)
+ * we should probably support these by adding hooks into the [wiki:BluePrintREST RESTlike controller]
 
-The system supports Self-Registration, which won't be appropriate for all deployment scenarios.[[BR]]
-To disable it requires:
- * Removing the link from the menu in {{{layout.html}}}
- * Disabling the function in controllers/default.py
-If self-registration is disabled then users maintenance can be done via appadmin until we develop our own UI.[[BR]]
-This will also be the case for adding extra roles anyway.
+User maintenance can be done via appadmin until we develop our own UI.[[BR]]
 
 DRAFT:
@@ -59 +65 @@
  * Function components protected with: {{{if not is_admin: t2.redirect('index',flash=T('Not Authorised'))}}}
  * appadmin protected in the same way :)
+
 === Links ===
  * Working with Realms, Users, Groups, and Roles: http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxj.html